CVE-2021-27173

7.5 HIGH

📋 TL;DR

This vulnerability allows an unauthenticated attacker to turn on the telnet service of FiberHome HG6245D routers by calling an undocumented endpoint on the HTTP management server. It affects devices running firmware through RP2613; once telnet is reachable the router is open to remote takeover and the network behind it to compromise. Any of these routers whose HTTP management interface is reachable, which is the case in the default configuration, is exploitable.

💻 Affected Systems

Products:
  • FiberHome HG6245D
Versions: All versions through RP2613
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable wherever the HTTP management interface is reachable; the default configuration is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing attacker to intercept all network traffic, modify DNS settings, install persistent backdoors, and pivot to internal network devices.

🟠 Likely Case

Router takeover enabling traffic monitoring, credential theft, and use as pivot point for attacking other devices on the network.

🟢 If Mitigated

Impact is limited only when the HTTP management interface cannot be reached from untrusted networks. Disabling telnet by itself does not help, because the backdoor endpoint re-enables it on request.

🌐 Internet-Facing: HIGH - The HTTP management interface is typically reachable from the WAN side on these routers, so the endpoint can be hit directly from the Internet.
🏢 Internal Only: MEDIUM - Any host on the LAN can reach the management interface and take over the router from inside the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The key parameter is derived from the MAC address of the router's br0 interface; the derivation is documented in public research. Exploitation is a single unauthenticated HTTP GET to the backdoor endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch is known. Treat RP2613 and all earlier firmware as vulnerable, check the vendor website for firmware newer than RP2613, and apply the workarounds below in the meantime.

🔧 Temporary Workarounds

Disable HTTP management interface

linux

Block WAN-side access to the router's HTTP management interface. These rules are run on the router itself (which requires shell access) and are lost on reboot unless the firmware saves them; the WAN interface name below is an assumption, confirm it with `ip link` first. Blocking port 80 and 443 on every interface, as a blanket `iptables -A INPUT -p tcp --dport 80 -j DROP` would, also locks out LAN administration.

WAN=eth0   # assumed WAN interface name; check with "ip link" on your device
iptables -I INPUT -i "$WAN" -p tcp --dport 80 -j DROP
iptables -I INPUT -i "$WAN" -p tcp --dport 443 -j DROP

Disable telnet service

all

Stop the telnet daemon if it is already running. This is not a fix: the backdoor endpoint starts it again on the next request, and the change does not survive a reboot.

killall telnetd
netstat -tln | grep ':23 ' || echo "telnet port closed"

🧯 If You Can't Patch

  • Isolate the router on a separate VLAN with strict firewall rules
  • Block inbound TCP 80, 443 and 23 to the router from untrusted networks at an upstream firewall, since rules on the router itself do not persist
  • Monitor for telnet connection attempts to the router and for requests to the /telnet endpoint

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to the router: http://[router-ip]/telnet?enable=0&key=[calculated_BR0_MAC]. If the response indicates success and port 23 opens afterwards, the device is vulnerable. Note that a successful check leaves telnet enabled on the device; stop it afterwards (see the workarounds above) and only test devices you are authorized to test.

Check Version:

Read the firmware version from the router's web interface (device information or status page). `nmap -sV -p 80,23 [router-ip]` shows the HTTP server banner and whether telnet is already open, but does not reliably identify the firmware version.

Verify Fix Applied:

Repeat the same request; it should fail or return an error, and port 23 should remain closed (`nmap -p 23 [router-ip]`). With only the firewall workaround in place, also confirm that the request times out from the WAN side.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /telnet endpoint
  • Unexpected telnet service starts
  • Firewall rule changes

Network Indicators:

  • Telnet connections to router on port 23
  • HTTP requests with enable and key parameters

SIEM Query:

source="router.log" AND (uri="/telnet*" OR "telnet?enable=")

The router itself should not be relied on for an HTTP access log; point the query at whatever device records requests reaching the router (upstream proxy, gateway or IDS).
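The log and network indicators above can be checked together: a request to /telnet carrying enable= and key= is suspicious on its own, and the same source opening port 23 shortly afterwards is a strong sign the backdoor worked. The script below is an added example for this advisory, not vendor or researcher code. The log lines are constructed: the HTTP lines are in Common Log Format as a proxy, gateway or IDS in front of the router would record them, and the firewall lines follow the iptables LOG target format with ISO-8601 syslog timestamps; those layouts and the 5-minute correlation window are assumptions.

```python
"""Flag requests to the HG6245D telnet backdoor endpoint and correlate them
with telnet connections that follow from the same source.

Added example for this advisory; not vendor code. Log lines are constructed
and their layouts (CLF for HTTP, iptables LOG format with ISO-8601 syslog
timestamps for the firewall) are assumptions about the logging in front of
the router. The router's own web server is assumed not to keep a usable log.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple
from urllib.parse import parse_qs, urlsplit

# Common Log Format: src ident user [ts] "METHOD target proto" status size
HTTP_LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# iptables LOG line with a TCP SYN to port 23: "<iso-ts> <host> kernel: ... SRC=... PROTO=TCP ... DPT=23 ..."
FW_TELNET_LINE = re.compile(
    r'(?P<ts>\S+) \S+ kernel: .*SRC=(?P<src>\S+) .*PROTO=TCP .*DPT=23\b'
)

# Constructed sample input (RFC 5737 documentation addresses, made-up key values).
SAMPLE_HTTP_LOG = """\
203.0.113.7 - - [10/Feb/2021:13:05:22 +0000] "GET /telnet?enable=0&key=7e3a9f2c HTTP/1.1" 200 5
203.0.113.7 - - [10/Feb/2021:13:05:22 +0000] "GET /favicon.ico HTTP/1.1" 404 0
192.0.2.44 - - [10/Feb/2021:13:06:01 +0000] "GET / HTTP/1.1" 200 2310
198.51.100.9 - - [10/Feb/2021:13:09:47 +0000] "GET /telnet?key=ffffffff&enable=0 HTTP/1.1" 404 0
""".splitlines()

SAMPLE_FW_LOG = """\
2021-02-10T13:05:40+00:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=203.0.113.1 PROTO=TCP SPT=51234 DPT=23 SYN
2021-02-10T13:07:10+00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.1 PROTO=TCP SPT=40001 DPT=443 SYN
""".splitlines()


class BackdoorHit(NamedTuple):
    ts: datetime
    src: str
    status: int
    key: str


class TelnetConn(NamedTuple):
    ts: datetime
    src: str


def backdoor_requests(lines: List[str]) -> List[BackdoorHit]:
    """Every request whose path is /telnet and whose query carries enable= and key=.
    The query string is parsed rather than string-matched, so parameter order,
    extra parameters or URL-encoding of the key do not evade the check."""
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/telnet":
            continue
        params = parse_qs(url.query)
        if "enable" not in params or "key" not in params:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(BackdoorHit(ts, m["src"], int(m["status"]), params["key"][0]))
    return hits


def telnet_connections(lines: List[str]) -> List[TelnetConn]:
    """Firewall log entries for TCP connections to port 23 on the router."""
    return [
        TelnetConn(datetime.fromisoformat(m["ts"]), m["src"])
        for m in map(FW_TELNET_LINE.match, lines) if m
    ]


def correlate(hits: List[BackdoorHit], conns: List[TelnetConn],
              window: timedelta = timedelta(minutes=5)) -> List[Tuple[BackdoorHit, TelnetConn]]:
    """A backdoor request followed, within the window, by a telnet connection
    from the same source: the endpoint most likely worked and the attacker logged in."""
    return [
        (hit, conn)
        for hit in hits
        for conn in conns
        if conn.src == hit.src and timedelta(0) <= conn.ts - hit.ts <= window
    ]


if __name__ == "__main__":
    hits = backdoor_requests(SAMPLE_HTTP_LOG)
    for h in hits:
        print(f"[backdoor request] {h.ts:%Y-%m-%d %H:%M:%S} {h.src} key={h.key} status={h.status}")
    for hit, conn in correlate(hits, telnet_connections(SAMPLE_FW_LOG)):
        delay = int((conn.ts - hit.ts).total_seconds())
        print(f"[likely takeover] {hit.src} opened telnet {delay}s after the backdoor request")
```

On the sample data both /telnet requests are reported, and only 203.0.113.7 is escalated, because it connected to port 23 eighteen seconds after its request; 198.51.100.9 received a 404 and never touched telnet, which is the pattern an attacker with a wrong key or a scanner would leave. Feed real logs in by replacing the two sample lists with file contents.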
